The Trump administration has unleashed a number of aggressive actions blocking China from access to those parts of the transnational digital economy anchored in the United States. These actions are based on the premise that exposure to Chinese ICT products and services is a national security threat, because China’s Communist government will exploit them to access data about American users and networks.
On September 8, China issued a response. It is an 8-part data security framework that, Beijing claims, is designed to balance “an open, fair and non-discriminatory business environment for mutual benefit” with national governments’ “responsibility and right to ensure the security of important data and personal information bearing on their national security, economic security, and social stability.”
In some ways the response is promising. It is diplomatic. The Chinese are not targeting exposed American companies such as Apple or Microsoft in the same way that the U.S. is targeting Huawei, WeChat and ByteDance. Verbally, at least, the Chinese are promoting multilateral cooperation in the pursuit of data security rather than unilateral tit-for-tat actions and reactions. The framework recognizes many commonly held cyber norms in the West, such as the idea that “ICT … providers should not install backdoors in their products and services to illegally obtain users’ data, control or manipulate users’ systems and devices.”
The reassuring words of the framework, however, only create an illusion of potential comity. They paper over the structural contradiction between the anarchic system of territorial sovereignty and an internet economy that thrives precisely because it ignores territorial boundaries. While the framework recognizes data governance as a problem requiring a global solution, it is so deeply rooted in sovereignty that it cannot get us out of the deepening hole we are currently in. Indeed, China’s mercantilist policies in the digital economy helped to dig the hole.
The eight elements of China’s proposed framework are listed below, at the end of this piece.
Note first how the Chinese framework repeatedly refers to data as something that belongs to states. The Chinese framework is based on the idea that data security is a collective right safeguarded by states, as opposed to individual rights of users safeguarded by contracts with service providers or globally applicable human rights protections recognized by states. Therefore, states’ claims of national security can always override any agreements between ICT product and service providers and their customers. As long as personal data is perceived as a “national resource” over which states exercise territorial sovereignty, we will remain stuck in the box we are currently in, as the world’s two biggest internet economies view each other with mistrust because they are geopolitical and military rivals. This means that China’s data security framework cannot move the world out of its current predicament.
Item #1 calls for “an open, secure and stable supply chain of global ICT products and services,” but China has translated “secure supply chain” to mean “domestically owned” in the case of cloud services and other areas, and now the U.S. is doing the same thing. The result? A breakdown of global supply chains.
Item #3’s admonition not to engage in “unauthorized collection of personal information” is honored mainly in the breach by the Chinese and U.S. governments. China’s numerous breach-producing APTs are still highly active, and the U.S. is not about to give up the NSA’s formidable capabilities for mass surveillance (of, mostly, foreigners).
Item #5 says “States … shall not obtain data located in other States through companies or individuals without other States’ permission.” A fine norm if one is wedded to the sovereigntist framework, but the Americans don’t trust China to adhere to it, and vice versa.
Global Initiative on Data Security
- States should handle data security in a comprehensive, objective and evidence-based manner, and maintain an open, secure and stable supply chain of global ICT products and services.
- States should stand against ICT activities that impair or steal important data of other States’ critical infrastructure, or use the data to conduct activities that undermine other States’ national security and public interests.
- States should take actions to prevent and put an end to activities that jeopardize personal information through the use of ICTs, and oppose mass surveillance against other States and unauthorized collection of personal information of other States with ICTs as a tool.
- States should encourage companies to abide by laws and regulations of the State where they operate. States should not request domestic companies to store data generated and obtained overseas in their own territory.
- States should respect the sovereignty, jurisdiction and governance of data of other States, and shall not obtain data located in other States through companies or individuals without other States’ permission.
- Should States need to obtain overseas data out of law enforcement requirement such as combating crimes, they should do it through judicial assistance or other relevant multilateral and bilateral agreements. Any bilateral data access agreement between two States should not infringe upon the judicial sovereignty and data security of a third State.
- ICT products and services providers should not install backdoors in their products and services to illegally obtain users’ data, control or manipulate users’ systems and devices.
- ICT companies should not seek illegitimate interests by taking advantage of users’ dependence on their products, nor force users to upgrade their systems and devices. Products providers should make a commitment to notifying their cooperation partners and users of serious vulnerabilities in their products in a timely fashion and offering remedies.